• Frenchfryenjoyer (she/her)@lemmings.world
        English · 16 upvotes · 16 hours ago

        my friend who also lives in the uk was unable to view a Reddit post that had a picture of dental decay because it was marked as nsfw and Reddit requires you to verify age using ID/selfie to be in compliance with the uk’s Online Safety Act to see anything marked as nsfw.

        my comment was a play on the people who think this is all worth it because it might prevent kids from seeing porn

  • Billegh@lemmy.world
    English · 11 upvotes · 16 hours ago

    That’s why I used a picture of my anus for my age verification photo. The wrinkles are what sold it, I think.

  • TankovayaDiviziya@lemmy.world
    English · 24 upvotes · 21 hours ago

    Politicians: That’s the point.

    Joking aside, now that I think about it, what difference does it make if companies are stealing info and spying on you with government mandated age verification checks, and hackers stealing your government mandated age verification info? This just reinforces my view that governments (and companies) are nothing but glorified gangsters.

    • dogs0n@sh.itjust.works
      English · 3 upvotes · 19 hours ago

      A hacker stealing your id can do way more malicious stuff like more expertly crafted phishing and identity fraud just to name two.

      No one involved in this from the government to the companies is innocent in this chain though in my opinion. A breach is always bound to happen.

      • LifeInMultipleChoice@lemmy.world
        English · 4 upvotes · 10 hours ago

        To me giving a company or government permission to create the databases allowed for mass facial recognition is the same thing as giving the facial recognition data to criminals. It will be leaked/hacked/sold, etc. It is only a matter of time.

        How many Social security numbers in the U.S. have been leaked/hacked/sold/illegally transferred? ~340 million.

        Facial recognition will be a near useless tool for security in 10 years, and 100% for population monitoring at the rate we are going.

    • Brkdncr@lemmy.world
      English · 1 upvote, 1 downvote · 21 hours ago

      Option 3: companies that you pay to provide authentication service. Regulated so that they clearly tell you if they are subsidizing service outside of your payments.

      We nearly already do this with certificate services and they would probably be in a good position to offer an id service.

      • gian @lemmy.grys.it
        English · 1 upvote · 7 hours ago

        Option 3: companies that you pay to provide authentication service. Regulated so that they clearly tell you if they are subsidizing service outside of your payments.

        Then you just need to hack this company instead of Discord, you only change target.

  • kylian0087@lemmy.dbzer0.com
    English · 56 upvotes, 2 downvotes · 1 day ago

    Proves the UK is a shithole as well, funnily enough.

    Nothing against the Brits but their government oh damn that’s bad.

      • Fraction9170@infosec.pub
        English · 13 upvotes · 1 day ago

        Yep. This is just the first. As long as individuals submit to these ID verifications, services which provide them will be highly targeted. I find it ridiculous that 1.5 million people actually submitted their info to access discord instead of finding a workaround or alternative. I can only imagine how many are gullible enough to verify on porn sites.

        • KelvarCherry@lemmy.blahaj.zone
          English · 2 upvotes · 16 hours ago

          Well before the UK online ID laws, I saw some memes about people getting asked for ID as proof of age for NSFW servers, just to send to server admins. I figured it was an ID fraud scheme of some sort, but now I’d chalk it up to manic “protect the children” believers.

      • Reginald_T_Biter@lemmy.world
        English · 6 upvotes · edited · 1 day ago

        We’ll be reminiscing about good old boring Starmer once Lord Gobshite inevitably gets voted in by a load of gammons

    • TankovayaDiviziya@lemmy.world
      English · 2 upvotes · 21 hours ago

      The Labour under Starmer is closet Tory. I wish that the popular Manchester Labour mayor (whose name I forgot) takes his place as PM, which actual leftist politicians try to make him to be. Although this will be a Sisyphean task under the ruthless politicking in British politics and Labour Party’s own strict rule on who could become PM.

  • nutsack@lemmy.dbzer0.com
    English · 11 upvotes · 21 hours ago

    the only person who’s allowed to verify my age is my cat because he won’t stop being a dick about it

  • Octagon9561@lemmy.ml
    English · 49 upvotes · 1 day ago

    And this is why this provide xyz private information for verification bs should be illegal

  • HexesofVexes@lemmy.world
    English · 215 upvotes · edited · 1 day ago

    So, I looked at age verification - it was made clear photos were on device only and never transmitted.

    If this turns out to be false, then the legal fallout would be apocalyptic.

    (Edit: or not, see the comment by ambitiousprocess below)

    • lemmyout@lemmy.zip
      English · 32 upvotes, 1 downvote · 2 days ago

      What legal fallout? Discord made users agree to new terms just a week ago that involves forced arbitration.

      • Azzu@lemmy.dbzer0.com
        English · 17 upvotes · 1 day ago

        Forced arbitration clauses are not legal in many European jurisdictions, so “agreeing” to them didn’t actually do anything.

        • Amju Wolf@pawb.social
          English · 5 upvotes · 1 day ago

          Are they legal in any EU jurisdictions? I’d hope not.

          Not to mention half of their TOS being illegal/unenforceable in the first place.

      • Holytimes@sh.itjust.works
        English · 2 upvotes · 1 day ago

        Forced arbitration tends to backfire massively when you have something of this scale, because if everyone starts doing it, the cost of that forced arbitration is more than what the lawsuits would have been without it. It’s a big reason why like Steam got rid of it. If you get too many people trying to go after you, it’s just not worth it and costs too much.

      • ms.lane@lemmy.world
        English · 3 upvotes · 24 hours ago

        Sounds like Discord is about to have 2 million cases of arbitration to sort out.

        One person takes them to arbitration, it’s short work for their legal team, if 1000 do it’s harder, if 100,000 do, you still have to respond in a timely manner. The costs would be astronomical.

        Valve and a few others removed it for that reason, it’s a bomb waiting to blow.

    • Assassassin@lemmy.dbzer0.com
      English · 23 upvotes · edited · 2 days ago

      Here’s the information directly from the FAQ as of right now:

      Q: Is my data stored when I use Face Scan or Scan ID verification?

      A: Discord and k-ID do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device.

      • LyD@lemmy.ca
        English · 11 upvotes · 2 days ago

        That sounds like the video stays on your device but the photos do not.

      • Ganbat@lemmy.dbzer0.com
        English · 2 upvotes · 2 days ago

        Yeah, but those methods of verification weren’t the subject of this breach, this was some manual bullshit done through Zendesk.

    • floofloof@lemmy.ca
      English · 15 upvotes · 2 days ago

      Where is that small print? It should be archived before Discord tries to change it.

    • AmbitiousProcess (they/them)@piefed.social
      English · 122 upvotes · 2 days ago

      These were photos submitted via the compromised support provider (Zendesk) via the Discord support portal.

      Automated age verification via their partner (k-ID, which has its own issues) is a separate system, which was only available to some users. Other users had to contact Discord support manually and submit photo ID, which went through Zendesk, which was then compromised in this breach.

      https://support.discord.com/hc/en-us/articles/360041820932-Help-I-m-old-enough-to-use-Discord-in-my-country-but-I-got-locked-out

      Additionally, for the automated process, it’s the video selfie that’s on-device and never transmitted, but photos of your ID and selfie photo are transmitted, just supposedly deleted afterwards. Those ones are not included in this breach, as far as we’re aware, as it’s an entirely different third-party with wholly separate infrastructure.

      • NuXCOM_90Percent@lemmy.zip
        English · 55 upvotes · 2 days ago

        Which is why you farm off stuff like this to third parties whenever possible

        DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).

        But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead

        • Warl0k3@lemmy.world
          English · 25 upvotes, 1 downvote · 2 days ago

          Well, yeah. Discord isn’t exactly at fault here, they’re operating as best they can within the boundaries of a piece of legislation that could be best described as God’s gift to the “I-told-you-so” crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and Discord got stung first as they’re one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they’re trying to do this in good faith is a very good question)

          • AmbitiousProcess (they/them)@piefed.social
            English · 1 upvote · 18 hours ago

            In my opinion, they’re still somewhat at fault, because this was them failing to find and configure their software to work with a third-party identity provider whose infrastructure was built to handle the security of sensitive information, and just choosing to use email through Zendesk because it was easier in the meantime. A platform that I should note has been routinely accessed again and again by attackers, not just for Discord, but for all sorts of other companies.

            The main problem is that legislation like the Online Safety Act requires some privacy protections, like not collecting or storing certain data unless necessary, but it doesn’t require any particular security measures to be in place. This means that, theoretically, nothing stops a company from passing your ID to their servers in cleartext, for example.

            Now compare this to industries like the credit card industry, where they created PCI DSS, which mandates specific security practices. This is why you don’t often see breaches of any card networks or issuers themselves, and why most fraud is external to the systems that actually process payments through these cards. (e.g. phishing attacks that get your card info, or a store that has your card info already getting hacked)

            This is a HUGE oversight, and one that will lead to things like this happening over and over unless it becomes unprofitable for companies to not care.

            • Warl0k3@lemmy.world
              English · 2 upvotes · edited · 15 hours ago

              While there’s plenty of merit to what you’re saying, I’m too sick to have a coherent thought beyond maybe pointing out that the main issue with legislation like this isn’t that it doesn’t specify security requirements, but that it’s forcing people who do not have infrastructure established to collect and manage sensitive info of this nature in the first place.

              Discord never set out to collect this much PII, and as far as I’m aware there’s never been a breach of their payment information processing. Like you say, it’s an established thing to handle payments and is fairly routine to implement. There is no routine method of handling ID verification yet, and the solutions that exist were forced to be developed rapidly and with no standards.

              The legislation is at fault for putting people in this situation - that they used Zendesk was a boneheaded move (I haven’t seen details of the breach, was that really the vector that got attacked?) and sure, they’re at some degree of fault for letting this happen. But the vast majority of the blame lies at the feet of the asinine legislation that all but explicitly mandated that this situation arise.

              • AmbitiousProcess (they/them)@piefed.social
                English · 1 upvote · 10 hours ago

                Oh, of course the legislation is to blame for a lot of this in the end. I’m just saying that Discord could have already partnered with a number of identity verification services that do already have this infrastructure up and running, with standardized and documented ways to call their APIs to both verify and check the verification of a user.

                At the end of the day, Discord chose to implement a convoluted process of having users email Discord, upload IDs, then have Discord pull the IDs back down from Zendesk and verify them, rather than implementing a system where users could have simply gone to a third-party verification website, done all the steps there, had their data processed much more securely, then have the site just send Discord a message saying “they’re cool, let 'em in”

          • Axolotl_cpp@lemmy.ml
            English · 10 upvotes, 1 downvote · edited · 1 day ago

            Literally days ago I was accessing an NSFW channel and I got “well, you should send to us your ID and things so I can verify you” and I thought “no way! I don’t want to give my info, if they have a data breach we are all doomed” and I ignored it. Well, I don’t want to say “I told you so” but…

  • TheObviousSolution@lemmy.ca
    English · 15 upvotes · 1 day ago

    I’ve criticized the sort of personal information that is allowed to be managed by banking entities in the cases of Accidental Americans, where people who have nothing to do with America except that they were born in the US have their data handled by private entities to be passed onto governments they’ve never been in. Public entities that should handle and be responsible for it in their actual home countries want to wash their hands of them and there’s too much money against too small of a minority for anyone to care about their rights. It doesn’t matter how banks have consistently proven that they or their staff can act criminally, either.

    At least here, it affects a lot more people so it will likely bring in the change and reform it needs, even if the sensitivity of this data is significantly less.

    Gonna have to say, this guy is definitely gonna be screwed by this:

  • chatokun@lemmy.dbzer0.com
    English · 51 upvotes · 1 day ago

    Hmm, I don’t recall ever doing age verification for Discord. Were older accounts grandfathered in, or is it currently limited by region or something?

    • Holytimes@sh.itjust.works
      English · 11 upvotes · 1 day ago

      Any time your account gets locked for age reason it requires it. So if you have never had an age lock it’s unlikely you had to do it.

      It’s as easy as someone reporting you for being underage with no proof or even just saying “I’m 14 and what is this” as a meme to get locked tho.

      Hell the auto flag system can hit you if you just talk like a kid sometimes.

    • newcool1230@lemmy.ml
      English · 12 upvotes · edited · 19 hours ago

      I believe people from EU UK and people who say they were under 13 and got reported. They needed to send in a pic of them holding their ID to get unbanned.

      edit: UK people not EU

    • SoftestSapphic@lemmy.world
      English · 70 upvotes, 1 downvote · 1 day ago

      I think it’s a UK thing

      They have been passing legislation to basically dox their citizens for them to gain access to the internet

      • themachinestops@lemmy.dbzer0.com
        English · 15 upvotes · 1 day ago

        It was obvious things like this would happen. Unlike banks and government sites, social media sites don’t have strict cyber security requirements, and they want these sites to have a government ID. It was a bad idea from the start.

        • Echo Dot@feddit.uk
          English · 9 upvotes · 1 day ago

          Yeah it’s like the government want to get sued. They are better than the previous administration but that’s a pretty low bar

    • seraphine@lemmy.blahaj.zone
      English · 1 upvote, 7 downvotes · edited · 22 hours ago

      discord isn’t at fault here. I don’t say they do good stuff either, i just want to stick to the facts. It’s the UK government who forced them in the first place

      • viking@infosec.pub
        English · 7 upvotes · 23 hours ago

        They enforced the verification, but discord was supposed to delete the images right after.

        • seraphine@lemmy.blahaj.zone
          English · 3 upvotes · 22 hours ago

          nvm i wanted to say the complete opposite, my brain wanted to say two sentences at the same time and mixed up the words. corrected it now